revoke deployer key from timelock admin

smartcontractkit · Dec 16, 2024 · 02d721d · 02d721d
1 parent a6b3b0b
commit 02d721d
Show file tree

Hide file tree

Showing 2 changed files with 73 additions and 0 deletions.
diff --git a/deployment/common/changeset/transfer_to_mcms_with_timelock.go b/deployment/common/changeset/transfer_to_mcms_with_timelock.go
@@ -211,3 +211,35 @@ func TransferToDeployer(e deployment.Environment, cfg TransferToDeployerConfig)
 	e.Logger.Infof("deployer key accepted ownership tx %s", tx.Hash().Hex())
 	return deployment.ChangesetOutput{}, nil
 }
+
+var _ deployment.ChangeSet[RevokeTimelockDeployerConfig] = RevokeTimelockDeployer
+
+type RevokeTimelockDeployerConfig struct {
+	ContractAddress common.Address
+	ChainSel        uint64
+}
+
+// RevokeTimelockDeployer revokes the deployer key from administering the contract.
+func RevokeTimelockDeployer(e deployment.Environment, cfg RevokeTimelockDeployerConfig) (deployment.ChangesetOutput, error) {
+	contracts, err := MaybeLoadMCMSWithTimelockState(e, []uint64{cfg.ChainSel})
+	if err != nil {
+		return deployment.ChangesetOutput{}, err
+	}
+	tl := contracts[cfg.ChainSel].Timelock
+	if tl == nil {
+		return deployment.ChangesetOutput{}, fmt.Errorf("timelock not found on chain %d", cfg.ChainSel)
+	}
+	admin, err := tl.ADMINROLE(&bind.CallOpts{})
+	if err != nil {
+		return deployment.ChangesetOutput{}, fmt.Errorf("failed to get admin role: %w", err)
+	}
+	tx, err := tl.RevokeRole(e.Chains[cfg.ChainSel].DeployerKey, admin, e.Chains[cfg.ChainSel].DeployerKey.From)
+	if err != nil {
+		return deployment.ChangesetOutput{}, fmt.Errorf("failed to revoke deployer key: %w", err)
+	}
+	if _, err := deployment.ConfirmIfNoError(e.Chains[cfg.ChainSel], tx, err); err != nil {
+		return deployment.ChangesetOutput{}, err
+	}
+	e.Logger.Infof("revoked deployer key from owning contract %s", cfg.ContractAddress)
+	return deployment.ChangesetOutput{}, nil
+}
diff --git a/deployment/common/changeset/transfer_to_mcms_with_timelock_test.go b/deployment/common/changeset/transfer_to_mcms_with_timelock_test.go
@@ -1,8 +1,10 @@
 package changeset
 
 import (
+	"encoding/hex"
 	"testing"
 
+	"github.com/ethereum/go-ethereum/accounts/abi/bind"
 	"github.com/ethereum/go-ethereum/common"
 	"github.com/stretchr/testify/require"
 
@@ -78,3 +80,42 @@ func TestTransferToMCMSWithTimelock(t *testing.T) {
 	require.NoError(t, err)
 	require.Equal(t, e.Chains[chain1].DeployerKey.From, o)
 }
+
+func TestRevokeTimelockDeployer(t *testing.T) {
+	lggr := logger.TestLogger(t)
+	e := memory.NewMemoryEnvironment(t, lggr, 0, memory.MemoryEnvironmentConfig{
+		Chains: 1,
+		Nodes:  1,
+	})
+	chain1 := e.AllChainSelectors()[0]
+	e, err := ApplyChangesets(t, e, nil, []ChangesetApplication{
+		{
+			Changeset: WrapChangeSet(DeployMCMSWithTimelock),
+			Config: map[uint64]types.MCMSWithTimelockConfig{
+				chain1: proposalutils.SingleGroupTimelockConfig(t),
+			},
+		},
+	})
+	require.NoError(t, err)
+	addrs, err := e.ExistingAddresses.AddressesForChain(chain1)
+	require.NoError(t, err)
+
+	state, err := MaybeLoadMCMSWithTimelockChainState(e.Chains[chain1], addrs)
+	require.NoError(t, err)
+
+	tl := state.Timelock
+	require.NotNil(t, tl)
+
+	// WHAT AM I DOING HERE? HOW DO I TEST?
+	adminRole, err := tl.ADMINROLE(nil)
+	require.NoError(t, err)
+
+	r, err := tl.GetRoleAdmin(&bind.CallOpts{}, adminRole)
+	require.NoError(t, err)
+	h := hex.EncodeToString(r[:])
+	t.Logf("admin role: %s", h)
+	a := common.BytesToAddress(r[:])
+
+	require.Equal(t, a, e.Chains[chain1].DeployerKey.From)
+
+}